Data privacy and GDPR compliance


Information detailed on this page should not be considered as legal advice. If GDPR does not apply to your organization or the region of your users, you should consider any other relevant data laws.

You can find legal GDPR documentation here.

About the GDPR

What GDPR-compliant means

The European Union’s General Data Protection Regulation (GDPR) is a comprehensive data privacy and protection law. It applies to any organization that collects or processes personal data from EU residents.

Non-compliance with GDPR can result in significant fines and legal action.

GDPR is similar to other data privacy regulations such as the California Consumer Privacy Act (CCPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Personal data covered under the GDPR

With Riddle, you have the ability to collect personal data, particularly for lead forms. This is why it’s important to make sure you’re set up to be GDPR-compliant.

Personal data protected by the GDPR includes:

  • Name
  • Email address
  • Address
  • Photos
  • Bank details
  • Social posts
  • Medical information
  • IP address

Your responsibilities around the GDPR

You have a legal responsibility to protect any personal data you collect or process as an organization.

Quizzes are powerful data capture tools. The great news is that Riddles are built to be GDPR-compliant — although there are still a few things you need to do to ensure full compliance.

How Riddle is GDPR compliant

Riddle data is securely stored on our EU servers

All data is stored on our own servers in Germany and Luxembourg in a secure, banking-grade data center. We do not use cloud-based or shared storage services.

By default, we only store aggregate Riddle data. If you choose to collect personal data using a lead form, there are two ways to store lead data securely.

To further protect stored data, all logins are secured by two-factor authentication (2FA).

No tracking and almost zero cookies

When an individual takes a Riddle, we do not track their personal data.

Any Riddle content you create and embed does not track:

  • IP addresses
  • Google or other US-based analytics - although you can add your own trackers and pixels if you’d like.
  • Google Fonts - we serve all Google Fonts directly from our own servers.

We add just one anonymous session cookie for your embedded content, without collecting any personal data. You can find a detailed list of how we use cookies here.

We give users full control of their data

We’re transparent with our users, and give them full control over their data.

When users fill in lead forms, they are given the opportunity to opt in to how their data will be stored, processed, and used.

As a Riddle creator, you can also choose to require double opt-in, where leads must confirm their email address before their data is accepted. Only data from confirmed emails will be stored.

We do not share or sell any data

Only you and team members with accounts can view data collected from your Riddles. This includes personal, identifiable data from lead forms.

You own all the content you create with Riddle. We do not make your content searchable on our website, or repurpose it for our own materials. Users can also turn off the showcase link to make sure that your content is only visible to the audience of your choice.

How to store lead data

Riddle’s interactive content and quizzes give you the ability to collect high-quality leads. You can do this by adding a lead form into your Riddle content.

There are 3 ways you can securely store and share lead data in a GDPR-compliant way.

Store lead data in your own personal space on our servers

All data is stored encrypted and is only decrypted for viewing when you or your team members securely log in to Riddle. Encrypted data cannot be accessed by our staff, unless your team:

Leads have the option to opt in to how their data is stored, processed and used. If they take the Riddle but do not complete the form, their quiz responses will be shown as ‘withheld’.

Send data directly using native integrations

Connect your data to tools such as MailChimp, Google Sheets, and AWeber. We’ll securely send this data and it will never touch our servers. Check out all of our integrations here.

Send data directly to your own GDPR-compliant storage solutions

Use Zapier or a webhook to send data directly to your own secure database or a CRM platform. We’ll securely send this data and it will never touch our servers. You can read more about webhooks here.

You can also read more about how to generate leads in a GDPR-compliant way here.